Crown Church Privacy Notice
The Crown Church is committed to protecting and respecting your privacy. Our aim is to be as clear and open as possible about what we do with your personal data and why we do it.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”). A glossary of terms used can be found at the end of this document.
2. Who are we?
The Crown Church is the data controller (contact details below). This means we decide how your personal data is processed and for what purposes.
The Living Room
Charity Number: 1095028
Company Number: 04529503
3. How we collect your personal data
a. Directly from you
We collect personal information each time you deal with us, for example when you provide your contact details in writing to church staff or volunteers; request materials or information; sign up for an event; apply for a job with us; make a donation; use our check-in system for you or your children; or otherwise provide your personal details.
b. From your interaction with our website
We collect non-personal data such as IP addresses, details of pages visited and files downloaded. Website usage information is collected using cookies, see the section on Cookies below.
c. Indirectly from third parties
Third Party Processor / Purpose / For More Information:
- GoCardless: Direct Debit processing. https://gocardless.com/legal/privacy/
- Stripe: On-line credit/debit card payment processing. https://stripe.com/gb/privacy
- iZettle: Apple Pay / Android Pay / Card Reader payment processing. https://www.izettle.com/gb/privacy-policy
- Stewardship: Receiving funds from Stewardship Giving accounts. https://www.stewardship.org.uk/privacy/
- Charities Aid Foundation (CAF): Receiving funds from Payroll / Work Place Giving accounts. https://www.cafonline.org/navigation/footer/privacy
4. Categories of personal data concerned
We process the following categories of your data:
a. Personal Data
Where you (or a third party) provide the information, we may collect personal data relating to yourself and/or your children, including: name, address, telephone / mobile number, gender, date of birth / age, marital status, online identifiers (IP address, email address, website cookies), donation / finance information, photo / video footage
b. Sensitive Data
Where you (or a third party) provide the information, we may collect sensitive data, including your religious beliefs, physical or mental health, sexual orientation, criminal offence / alleged criminal offence data (e.g. DBS checks), photo / video footage
5. How do we use your information?
The GDPR says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:
- Contract - your personal information is processed in order to fulfil a contractual arrangement e.g. to hire our premises, for us to employ you
- Consent – where you agree to us using your information in this way e.g. for storing contact details of visitors to The Living Room, or for us to use your image on our website
- Legitimate Interests - this means the interests of Crown Church in managing the charity / organisation in the most secure and appropriate way e.g. to store your contact details in ChurchSuite – our church management software suite
- Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes or to store financial data in line with regulations set out by governing bodies
a. General Personal Data (article 6 of GDPR)
Here is a list of the ways that we may use your personal information, and which of the lawful reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.
What We Use Your Personal Information For / Our Reasons (Lawful Basis) / Our Explanation of Crown's Legitimate Interests or other relevant information:
- Storing your personal data and information about your involvement in church activities and / or membership of Crown Church using ChurchSuite (our third-party church management suite). Lawful basis: Legitimate Interests. Explanation: Process efficiency in dealing with such activity, keeping our records up to date.
- To inform visitors to The Living Room of upcoming events at The Living Room / Crown Church. Lawful basis: Consent. Explanation: N/A.
- To inform you by email / SMS of news, events, activities and services running at Crown Church. This may include transfers to Third Countries who undertake communications activities. Lawful basis: Legitimate Interests. Explanation: Working out which of our events may interest you and telling you about them. Developing a programme of events that attract visitors. Improving member interaction / attendance at our events.
- To communicate with children (aged 11-17) regarding youth events and related information (e.g. Roots Utd / Newday). Lawful basis: Consent (parental consent if aged under 13). Explanation: N/A.
- Contact you to undertake surveys, invite you to provide feedback. Lawful basis: Legitimate Interests. Explanation: Working out which of our events may interest you and telling you about them. Developing a programme of events that attract visitors. Improving member interaction / attendance at our events.
- To provide pastoral care to our attendees. Lawful basis: Legitimate Interests. Explanation: Ensuring that all members and attendees at Crown Church are supported, to care for their spiritual, physical and mental wellbeing.
- To administer attendance/membership records to comply with our Safeguarding Policy (e.g. using our check-in system to register your children for activities). Lawful basis: Legitimate Interests. Explanation: Keeping our records up to date, ensuring an accurate register of children in attendance for emergency use.
- To raise funds and promote the interests of the charity. Lawful basis: Legitimate Interests. Explanation: To inform you of fundraising opportunities both within the church and directly linked to our charitable objectives which you may have an interest in supporting.
- To manage our employees and volunteers. Lawful basis: 1. Legitimate Interests, 2. Contract, 3. Legal Obligation. Explanation: 1. Monitoring appraisal documentation for staff personal development, 2. Payroll processing, 3. Automatic Enrolment of workplace pension scheme.
- To maintain our own accounts and records (including the processing of Gift Aid claims). Lawful basis: 1. Legitimate Interests, 2. Legal Obligation. Explanation: 1. Process efficiency in dealing with such activity, keeping our records up to date, issuing donation statements for tax purposes. 2. Retaining information for 6 years from the end of the tax year in which a financial transaction was processed.
- To manage rotas for our Sunday volunteer teams, mid-week small groups (known as Life Groups), community / training / outreach groups (e.g. Foodbank, Students & Youth groups). Lawful basis: Legitimate Interests. Explanation: Process efficiency in dealing with such activity, keeping our records up to date.
- Applying for a job with us. Lawful basis: Legitimate Interests. Explanation: Process efficiency in dealing with such activity, checking references & qualifications, answering any questions you may have.
- CCTV footage originating at The Living Room and any subsequent buildings owned by Crown Church. Lawful basis: Legitimate Interests. Explanation: For prevention of crime, and safety of premises and its users.
- To broadcast photo/video of church members/children within a church setting only. Lawful basis: Legitimate Interests. Explanation: Promotion of church events & activities to generate interest and maximise participation / attendance.
- Collecting personal data of new members / individuals interested in attending an event or joining a group / team via Tell Me More forms or sign-up sheets. Lawful basis: Legitimate Interests. Explanation: Process efficiency in dealing with such activity, keeping our records up to date, maximising participation / attendance with church activities.
b. Special categories of personal data (article 9 of GDPR)
Under Article 9 Para 2(d) of the GDPR we are permitted to process sensitive / special category data when it is:
"carried out in the course of its legitimate activities with appropriate safeguards by a not-for-profit body with a religious aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes"
Here is a list of the ways that we may use your sensitive personal information, and which of the lawful reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.
6. Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only as follows:
a. Legal duty
We may need to pass on information if required by law or by a regulatory body. For example, a Gift Aid audit by the HMRC, or if asked for details by a law enforcement agency.
b. Our service providers
We do not sell or pass any of your personal information to any other organisations and/or individuals without your express consent. In line with our legal or contractual obligations, or our legitimate interests (as outlined in Section 5) we may transfer your data to our service providers for process efficiency. Where required we will have an additional Data Processing Contract / Agreement in place with them.
Where such details are shared we have confidentiality agreements in place that restrict the use of your information to the purpose for which it is provided and ensure it is stored securely and kept no longer than necessary. We may employ agents to carry out tasks on our behalf, such as processing donations. These agents are bound by contract to protect your data and we remain responsible for their actions.
Third Party Processor / Purpose / For More Information:
- ChurchSuite: UK based cloud database service. https://churchsuite.com/tour/gdpr/security
- MailChimp: US based direct email service provider (integrated with ChurchSuite). https://mailchimp.com/legal/privacy/
- TextLocal: UK based SMS delivery service (integrated with ChurchSuite). https://www.textlocal.com/legal/terms-and-conditions/
- Dataplan Payroll Ltd: Processing payroll for Crown Church employees. http://www.dataplanpayroll.co.uk/about-us/dataplan-privacy-policy
- B&CE (The People’s Pension): Processing Crown Church’s workplace pension scheme. https://bandce.co.uk/privacy-policy/
- Facebook: Promoting Crown Church activities (including photo and video footage of Crown Church members). https://www.facebook.com/policy.php
- Twitter: Promoting Crown Church activities (including photo and video footage of Crown Church members). https://twitter.com/en/privacy
7. How long do we keep your personal data?
We will keep your personal information only for as long as we consider it necessary to carry out each activity. We have a data retention policy to implement this. We take account of legal obligations and accounting and tax considerations as well as considering what would be reasonable for the activity concerned. For example:
Data / Retention Period:
- Accounting / Donation / Gift Aid records: 6 years from the end of the current financial period.
- Contact details / membership information: For the duration of your membership / attendance / involvement with Crown Church and for a further period of one calendar year, or until you object to processing or assert your right to be forgotten (see section 8).
- Safeguarding Data (e.g. DBS records): As long as is considered reasonably necessary for ongoing protection of children or adults at risk.
8. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of the personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary to retain such data;
- The right to withdraw your consent to the processing at any time, where consent was our lawful basis for processing the data;
- The right to request that we provide you with your personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability). This applies where the processing is based on consent or is necessary for the performance of a contract with the data subject, and where the data controller processes the data by automated means;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data. This applies where processing is based on legitimate interests (or the performance of a task in the public interest / exercise of official authority), to direct marketing, and to processing for the purposes of scientific / historical research and statistics.
9. Transfer of Data Abroad
We use cloud-based systems to process data and therefore data may be processed outside of the European Economic Area (EEA). We adopt the Information Commissioner's approved measures and therefore ensure that personal data is held in compliance with European data protection regulations. We take all reasonable steps to ensure that your data is stored and processed securely in accordance with this policy.
Data Processor outside of EEA / Country where data is stored / Relevant safeguards implemented to ensure safety of your data:
- MailChimp: USA. Member of EU-U.S. Privacy Shield (Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016). Signed Data Processing Addendum between MailChimp and Crown Church – 17/5/2018.
- Facebook: USA. Facebook Inc. has certified to the EU-U.S. Privacy Shield Framework with the US Department of Commerce regarding the collection and processing of personal data from its advertisers, customers or business partners in the European Union in connection with the products and services described in the Scope section of its certification.
- Twitter: USA. Twitter, Inc. complies with the EU-US Privacy Shield principles regarding the collection, use, sharing, and retention of personal information from the European Union as described in its EU-US Privacy Shield certification.
10. Automated Decision Making
We do not use any form of automated decision making in our business.
11. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
Cookies
All of our website cookies exist to enable functionality on the website and not for advertising purposes. If you do not wish these cookies to be tracked you can disable them in your browser, but this may negatively affect your experience on the site.
There are two types of cookie you may encounter when using our website:
First party cookies: these are our own cookies, controlled by us and used to provide information about usage of our site.
Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook, Twitter and Google have their own cookies, which are controlled by them.
First Party Cookies
Name / Purpose of cookie:
- exp_last_visit: This is set by our Content Management System and records the date/time of a user's last visit. Set to last for 1 year.
- exp_last_activity: This is set by our Content Management System and records the last date/time a page was loaded on the site. Set to last for 1 year.
- exp_tracker: Records the last 5 pages viewed. Used to help users return to a page if ever they receive an error message. Set to last for the duration of the user's session (until they close their browser).
- exp_sessionid: Tracks the current logged-in ExpressionEngine user.
- exp_expiration: Cookie used by users who log in and choose the "remember me" facility. This keeps the user logged in for a year unless they choose to log out (and then the cookie is destroyed).
Third Party Cookies
Name / Purpose of cookie:
- Any cookie prefixed with __utm: These are Google Analytics cookies and are used to track users' activity on the site (pages viewed, length of time on the site, screen resolution and so on). Cookie durations vary from the session (until the user closes their browser window) up to 2 years.
- _twitter_sess, twid, auth_token, original_referrer, remember_checked: These are Twitter cookies that determine whether you are logged in to Twitter during your browser session. They also allow you to tweet about a page and record the number of times a page has been tweeted.
- SID, c_user, act, presence, locale, x-src, s: These are Facebook cookies that determine whether you are logged in to Facebook during your browser session. They also allow you to like a page and record the number of times a page has been liked.
14. How to make a complaint
To exercise any of these rights, or to raise queries or complaints, please in the first instance contact us at firstname.lastname@example.org or write to us at: Data Security Manager, Crown Church, The Living Room, High Street, Cowley, Uxbridge, UB8 2DZ.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner's Office on 03031231113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
15. Glossary of terms
Data controller - A controller determines the purposes and means of processing personal data
Data processor - A processor is responsible for processing personal data on behalf of a controller
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data - The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories of personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.